I had this issue and found it was caused default key setting in ~/.aws/credentials. We have a few AWS accounts for different customers plus a sandbox account for our own testing and research. So our credentials file looks something like this:

[default]

aws_access_key_id = abc

aws_secret_access_key = xyz

region=us-east-1


[cpproto]

aws_access_key_id = abc

aws_secret_access_key = xyz

region=us-east-1

[sandbox]

aws_access_key_id = abc

aws_secret_access_key = xyz

region=us-east-1

I was messing around our sandbox account but the [default] section was pointing to another account. Once I put the keys for sandbox into the default section the "kubectl get svc" command worked fine.

Seems we need a way to tell aws-iam-authenticator which keys to use same as --profile in the aws cli.

Change "name: kubernetes" to actual name of your cluster.

Here is what I did to work it through....

1.Enabled verbose to make sure config files are read properly.

kubectl get svc --v=10

2.Modified the file as below:

apiVersion: v1
clusters:
- cluster:
    server: XXXXX
    certificate-authority-data: XXXXX
  name: abc-eks
contexts:
- context:
    cluster: abc-eks
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "abc-eks"
        # - "-r"
        # - "<role-arn>"
      env:
        - name: AWS_PROFILE
          value: "aws"

I have faced a similar issue, however this is not a direct solution but workaround. Use AWS cli commands to create cluster rather than console. As per documentation, the user or role which creates cluster will have master access.

aws eks create-cluster --name <cluster name> --role-arn <EKS Service Role> --resources-vpc-config subnetIds=<subnet ids>,securityGroupIds=<security group id>

Make sure that EKS Service Role has IAM access(I have given Full however AssumeRole will do I guess).

The EC2 machine Role should have eks:CreateCluster and IAM access. Worked for me :)

I guess you should uncomment "env" item and change your refer to ~/.aws/credentials Because your aws_iam_authenticator requires exact AWS credentials.

Refer this document: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

To have the AWS IAM Authenticator for Kubernetes always use a specific named AWS credential profile (instead of the default AWS credential provider chain), uncomment the env lines and substitute with the profile name to use.